Chrome99 and Edge99 users -- emergency update

I refuse to get excited about a vulnerability when they won’t even give me an outside description of the problem. Often these vulnerabilities relate to some type of phishing attack, which is irrelevant if you don’t see the attack. Or they depend on you going to a compromised site.

It’s not really right that hackers know all about the vulnerabilities, and developers know, but the user is kept in the dark.

Edit: Looks like my browser is already in the “safe” zone.

Right. A mess up too far. In that TW backwards compatibility has been awesome so far.

TBH, I step back and look on the current situation and say nowt more till later.

TT

Fair. But some googling (or DDGing) will get you the info - it’s a V8 attack. That, for me, is a “stop everything and patch now” kinda thing.

Your call.

Darling, ring me.

TT

🔔 🔔 🔔

It’s a JavaScript engine problem. That’s about all I could find (I did look and kept finding links that led me to sites that didn’t tell me anything.) If it’s a JavaScript problem, then you would first have to visit a site that has been compromised in a way to take advantage of the vulnerability. But if a site has been compromised then – you’re already in trouble no matter what the vulnerability is. Then … what does the vulnerability allow? Unless it allows writing to the hard drive, which would be a major, major, major oopsie, what could it do after that?

So, once again. Just give me some info. I have two devices that sit in drawers because I performed a “necessary” update. There have been entire industries that came to a halt when they performed an essential update. Meanwhile, most actual attacks occur on the server side, not the client side of things.

As you’re no doubt aware, it’s not unusual for the specific details of a given exploit to go unpublished (or, at least, remain obscure). Because it can fool V8 into executing “any” code, you’re at the mercy of the great unknown. Executing arbitrary potentially malicious JS is not something I relish.

No. I know nothing. Here is obscure cricket as it is meant to be played …

TT

That’s more than any site I’ve found has indicated. But V8 can already execute “any” code that it has access to. So once again, you’d have to go to a compromised site. In which case the real issue is how the site got compromised. Unless a random hacker could visit a site, and write code to the server, and get the server to run it, it’s hard to imagine what damage could occur. And as TW users, we know how hard it is to get JS to write anything to the file system.

Possibly if someone could point out previous exploits and how they were used. But all the major exploits I’ve ever heard of were on the back end. Like Equifax failing to close server loopholes. Or administrators using passwords like “1234”.

On the client end, mostly URL phishing tricks so that you will navigate to the wrong site. Which can be avoided by not clicking on any links in email you receive. When engaging in business that requires credentials, go to the business site itself – don’t follow links.